Reverse proxy for incoming https

BBXBBX
edited November 2020 in Firebox - Proxies

I have a NGINX box inside the network which I currently use for reverse proxy for various subdomains as I have a number of web servers. This is a fairly basic setup where all HTTPS traffic hits the nginx box which then determines which web server to pass it onto based on the domain name in the URL.

I'm replacing my old firewall with a new T80. If I want to migrate the old NGINX box to the new T80 and use it for reverse proxy do I use the HTTPS Proxy or the Reverse Proxy function on the T80. I don't have a need for Access Portal and I have Basic Security Suite. So will I still be able to reverse proxy multiple domain URLs to various servers behind the T80 and if so which function should I use? These are mainly for application APIs from client sites so not really remote users but remote applications. Thanks.

Comments

  • You use the HTTPS proxy and select a HTTPS-Server proxy action.
    Then you can specify SNI entries and specify to what IP addr that packets matching that SNI get routed.

  • I use Content Actions to redirect incoming https requests to the correct web server. See https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/proxies/general/content_actions_about_c.html

    Adrian from Australia

  • BBXBBX
    edited November 2020

    @Bruce_Briggs said:
    You use the HTTPS proxy and select a HTTPS-Server proxy action.
    Then you can specify SNI entries and specify to what IP addr that packets matching that SNI get routed.

    Thanks Bruce. I'm using this as an example
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/proxies/examples/routing_action_https_no-ci.html

    What I'm not sure of is under Settings, in the TO section, what do I set this to? I have 2 Domain Names rules, with one only using the policy default port (443).
    So do I need to set anything in the TO section? It's currently set to Any-Trusted. Confused by the SNAT setting it has there. Is this for default that is not listed in the domain names under the Proxy Action for that policy?

    Thanks.

  • For the HTTPS policy To: field you select a SNAT which is set up to point to your main web server, which will be the default value for the Routing action - the dest internal IP addr.

    A SNAT is used to forward packets from the Internet coming to an external IP addr on your firewall to a private IP addr behind your firewall.
    Setting To: = Any-trusted will not work to get to private IP addrs behind your firewall.

  • BBXBBX
    edited November 2020

    @Bruce_Briggs said:
    For the HTTPS policy To: field you select a SNAT which is set up to point to your main web server, which will be the default value for the Routing action - the dest internal IP addr.

    A SNAT is used to forward packets from the Internet coming to an external IP addr on your firewall to a private IP addr behind your firewall.
    Setting To: = Any-trusted will not work to get to private IP addrs behind your firewall.

    This is what I'm confused about, I have two separate physical internal web servers - both servicing a different subdomain. For a single HTTPS Proxy policy I've created 2 policy actions - one for each sub-domain. So what do I put in as the SNAT?

    I suspect I have to create a separate HTTPS Proxy policy for each subdomain and then set the SNAT point to each respective web server?

  • edited November 2020

    Choose 1 of the internal web server IP addrs for the SNAT.
    And have a single incoming HTTPS proxy.
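The routing model described in this thread (one incoming HTTPS policy, SNI entries that map a domain name to an internal IP, and the SNAT target acting as the default destination when no entry matches) is easy to see in code. The following is an added example written for this page; it is not code from the thread, from WatchGuard, or from Fireware. It parses the server_name extension out of a TLS ClientHello, looks the name up in a routing table, and falls back to a default backend, which is the same job the HTTPS-Server proxy action does with its Domain Names rules and the SNAT in the To: field. The hostnames and 10.0.0.x addresses are constructed placeholders, and build_client_hello only produces a minimal handshake for testing, not a complete one.

```python
"""Added example, not part of the forum thread or WatchGuard code: SNI-based
routing with a default backend, the behaviour the HTTPS proxy provides."""
import struct
from typing import Optional

# Constructed routing table: SNI hostname -> internal web server (placeholder IPs).
ROUTES = {
    "api1.example.com": "10.0.0.11",
    "api2.example.com": "10.0.0.12",
}
# Plays the role of the SNAT target in the policy's To: field: used when the
# client sends no SNI or a name that matches no Domain Names rule.
DEFAULT_BACKEND = "10.0.0.11"


def extract_sni(client_hello: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello record, or None."""
    # TLS record header: content type (1), version (2), length (2); 0x16 = handshake
    if len(client_hello) < 5 or client_hello[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", client_hello[3:5])[0]
    body = client_hello[5:5 + rec_len]
    # Handshake header: msg type (1), length (3); 0x01 = ClientHello
    if len(body) < 4 or body[0] != 0x01:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    pos = 2 + 32  # skip client_version and random
    if len(hs) < pos + 1:
        return None
    sid_len = hs[pos]
    pos += 1 + sid_len  # skip session id
    if len(hs) < pos + 2:
        return None
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + cs_len  # skip cipher suites
    if len(hs) < pos + 1:
        return None
    cm_len = hs[pos]
    pos += 1 + cm_len  # skip compression methods
    if len(hs) < pos + 2:
        return None  # no extensions block at all, so no SNI
    ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_total, len(hs))
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        data = hs[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0x0000:  # server_name extension
            # list length (2), name type (1), name length (2), name bytes
            if len(data) < 5:
                return None
            name_len = struct.unpack("!H", data[3:5])[0]
            try:
                return data[5:5 + name_len].decode("ascii").lower()
            except UnicodeDecodeError:
                return None
    return None


def route(client_hello: bytes) -> str:
    """Pick the backend for a ClientHello: matching SNI entry, else the default."""
    sni = extract_sni(client_hello)
    return ROUTES.get(sni, DEFAULT_BACKEND)


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Construct a minimal ClientHello for testing (not a complete handshake)."""
    hs = b"\x03\x03" + b"\x00" * 32  # version 1.2 + zeroed random
    hs += b"\x00"  # empty session id
    hs += b"\x00\x02\x13\x01"  # one cipher suite: TLS_AES_128_GCM_SHA256
    hs += b"\x01\x00"  # one compression method: null
    if hostname is not None:
        name = hostname.encode("ascii")
        sn = b"\x00" + struct.pack("!H", len(name)) + name  # type 0 = host_name
        sn_list = struct.pack("!H", len(sn)) + sn
        exts = struct.pack("!HH", 0x0000, len(sn_list)) + sn_list
        hs += struct.pack("!H", len(exts)) + exts
    body = b"\x01" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    for host in ("api1.example.com", "api2.example.com", "other.example.com", None):
        print(host, "->", route(build_client_hello(host)))
```

The practical point for the firewall setup is the fallback path: a client that does not send SNI (or sends a name with no matching Domain Names rule) cannot be routed by hostname, so it lands on the default destination, which is why the To: field needs a SNAT pointing at a real internal server rather than Any-Trusted.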

  • I have a question on this. Does this policy act like a true Reverse Proxy? I would like to use a single IP for websites behind my Firewall and installed a HAProxy VM. But I would rather use the Firewall to do this if it is a true Reverse Proxy. Also, can the SNAT be directed to an internal IP that is not assigned to anything?

  • Yes, you can have multiple domains behind your firewall using a single IP addr.
    I assume that you can have the SNAT be for an internal IP that is not assigned to anything, as you can set a specific internal IP addr for each domain name entry.
